
The 90-Day Vulnerability Disclosure Policy is Dead: AI Accelerates Security Timelines
From Comfortable Head Start to T-Minus Zero: AI Rewrites the Exploit Lifecycle
Imagine this scenario: It’s May 7th, 2026. As a seasoned system administrator overseeing critical infrastructure, you’re alerted to a newly disclosed Linux kernel vulnerability, “Dirty Frag” (CVE-2026-43284, CVE-2026-43500). The advisory paints a grim picture: the exploit is already public, actively weaponized, and demonstrated by Microsoft’s internal security teams. The recommended mitigation? Disabling your IPSec modules across 400 production servers. This isn’t a hypothetical future; this is the immediate, jarring reality of modern vulnerability management, a reality where the traditional 90-day vulnerability disclosure window has effectively dissolved. The assumption that vendors have weeks, even months, to patch critical flaws before attackers can weaponize them is no longer valid. Artificial intelligence has shattered this illusion, forcing a fundamental reevaluation of our security timelines.
The AI Crucible: From Patch Diff to Public Exploit in Minutes
The traditional cadence of vulnerability discovery and exploitation was built on human limitations. Researchers would find bugs, spend days or weeks crafting proof-of-concept exploits, and vendors would then have a comfortable head start of 90 days (or more) to develop and deploy patches. This era is over. AI-powered tools, such as the hypothetical “GPT-5.5-Cyber (Daybreak)” and “Claude Mythos,” are now capable of ingesting patch diffs from open-source projects or leaked advisories and generating functional exploits in under 30 minutes. This isn’t a theoretical leap; it’s a demonstrated capability that has reshaped the threat landscape.
Consider the recent Linux kernel vulnerabilities, “Copy Fail” (CVE-2026-31431) and “Dirty Frag” (CVE-2026-43284, CVE-2026-43500). While the “Copy Fail” vulnerability itself might have had a proposed mitigation (algif_aead blacklist), it did not prevent the subsequent exploitation of “Dirty Frag.” This illustrates a critical point: the speed at which AI can identify exploitable patterns and chain vulnerabilities far outpaces human-driven patch deployment cycles. What once took significant human effort and expertise can now be automated, amplified, and accelerated to alarming degrees. The “days or weeks” to develop an exploit have become “minutes,” rendering the 90-day disclosure policy not just outdated, but actively dangerous. This acceleration means that by the time a vulnerability is disclosed under the old model, it may already be a zero-day in active exploitation.
Ecosystem Under Strain: The “Dead on Arrival” Disclosure Policy
The security community’s consensus is stark: the 90-day vulnerability disclosure policy is “dead” or “broken beyond repair.” This sentiment is not confined to academic discussions; it’s a lived experience for researchers and organizations alike. We are witnessing a shift towards more aggressive disclosure timelines driven by the reality of exploit speed.
Organizations like Rapid7 are already adapting, implementing tiered disclosure policies that shorten the window based on exploit severity and active exploitation. Their default is often 60 days, but for vulnerabilities actively being exploited in the wild, the expectation can shrink to as little as 72 hours. Google Project Zero, historically a proponent of longer disclosure periods, has evolved its policy to a “90+30” model, allowing 90 days for a fix and 30 days for public details, but critically, they reserve the right to disclose within 7 days for in-the-wild exploitation, with a mere 3-day grace period. Even governmental bodies like CISA are reportedly considering a 3-day remediation deadline for critical flaws. These are not minor adjustments; they are fundamental shifts reflecting the new reality of a hyper-accelerated threat environment.
This ecosystem shift forces a difficult trade-off. For software vendors, the old model provided a buffer. Now, they face the immediate pressure to develop, test, and deploy patches for critical vulnerabilities almost as quickly as they are discovered. For researchers, the ethical tightrope of responsible disclosure is fraught with the risk that their findings could be weaponized by AI-driven attackers before a patch is even conceived.
The Hard Limits: When Human Pace Meets AI Velocity
The most significant consequence of AI’s acceleration is the obsolescence of human-paced vulnerability management and traditional monthly patch cycles. Organizations cannot realistically expect to deploy patches faster than sophisticated AI tools can develop exploits. This creates a dangerous gap where even disclosed vulnerabilities present an immediate risk.
When should the 90-day disclosure policy be actively avoided? For any critical vulnerability, especially those that are easily discoverable or demonstrably weaponized by AI, the 90-day window is a liability. The assumption that a vulnerability is “safe” for months simply doesn’t hold anymore. Large, complex organizations with legacy systems are particularly vulnerable. They struggle with the logistical challenges of testing and deploying patches across diverse environments, making them prime targets for rapid exploitation. The scaling back of NVD enrichment by NIST further exacerbates this, placing a greater burden on organizations to independently prioritize risks, a task made exponentially harder when exploit development is near-instantaneous.
This leads to a critical dilemma: “emergency patching creates operational disruption and testing challenges.” You are caught between the rock of remaining vulnerable to active exploitation and the hard place of deploying untested patches that could destabilize your entire infrastructure. This is the hard truth: the old model fails at scale because it’s built on an entirely outdated understanding of exploit speed and discovery rarity.
Navigating the Chaos: Intelligent Exposure Management and Real-Time Defense
The death of the 90-day policy is not an endpoint, but a catalyst for innovation. The immediate imperative is to adopt proactive, intelligence-driven security strategies that move beyond reactive patching cycles. The focus must shift from managing vulnerabilities to managing exposure.
The notion of “fix immediately” for critical bugs is no longer a recommendation; it’s a necessity. This necessitates integrating AI directly into the Software Development Lifecycle (SDLC) and CI/CD pipelines. Real-time security reviews, automated vulnerability scanning that leverages AI for pattern recognition, and continuous security testing become paramount. This allows for the detection and remediation of vulnerabilities before they are ever committed to production.
Furthermore, embracing intelligence-driven exposure management allows organizations to prioritize their efforts. Instead of treating all vulnerabilities equally, the goal is to identify and mitigate the critical 3% that pose the most significant risk. This involves correlating vulnerability data with asset criticality, threat intelligence on active exploitation, and an understanding of how AI might weaponize specific flaws.
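The correlation described above, as an added example that is not part of the original article: each finding is scored from its CVSS base score, the criticality of the asset it sits on, whether it is exploited in the wild, whether a public exploit exists, and whether the asset is internet-facing; the ranked list is then cut to a top slice that gets emergency handling, with a compensating control used where no patch exists (the Dirty Frag “disable IPsec” situation). The weights, SLA buckets, asset inventory and CVSS values are constructed assumptions for illustration, not any vendor's or standard's scheme; the CVE ids from the article are reused only as labels.

```python
"""Exposure-based prioritization of vulnerability findings (added example)."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int         # 1 (disposable) .. 5 (crown jewel); assumed scale
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: Asset
    cvss: float              # base score 0..10
    exploited_in_wild: bool  # e.g. listed in a KEV-style feed
    public_exploit: bool     # a working PoC is publicly available
    patch_available: bool
    compensating_control: str = ""  # fallback when no patch exists


def exposure_score(f: Finding) -> float:
    """Higher means fix sooner. Weights are assumptions for illustration."""
    score = f.cvss / 10.0                  # normalise severity to 0..1
    score *= f.asset.criticality / 5.0     # scale by what the asset is worth
    if f.exploited_in_wild:
        score *= 2.0                       # active exploitation dominates
    elif f.public_exploit:
        score *= 1.5                       # public PoC: weaponisation is cheap
    if f.asset.internet_facing:
        score *= 1.25                      # reachable without a foothold
    return round(score, 3)


def remediation_sla(score: float) -> str:
    """Map a score to a remediation window (assumed buckets)."""
    if score >= 1.0:
        return "72h"    # fix immediately or apply a compensating control
    if score >= 0.5:
        return "14d"    # next maintenance window
    return "30d"        # normal patch cycle


def prioritize(findings):
    """Return findings sorted from most to least urgent."""
    return sorted(findings, key=exposure_score, reverse=True)


def critical_slice(ranked, fraction=0.03):
    """The top slice (at least one item) that gets emergency handling."""
    n = max(1, ceil(len(ranked) * fraction))
    return ranked[:n]


def remediation_plan(f: Finding) -> str:
    """Patch if a patch exists; otherwise fall back to the compensating control."""
    sla = remediation_sla(exposure_score(f))
    if f.patch_available:
        return f"{f.cve} on {f.asset.name}: patch within {sla}"
    control = f.compensating_control or "isolate host"
    return f"{f.cve} on {f.asset.name}: no patch; apply '{control}' within {sla}"


# Constructed sample inventory. CVE ids from the article are reused as labels;
# the CVSS values and asset details are placeholders, not real data.
VPN_GW = Asset("vpn-gw-01", criticality=5, internet_facing=True)
BUILD_RUNNER = Asset("build-runner-07", criticality=3, internet_facing=False)
LAB_KIOSK = Asset("kiosk-lab", criticality=1, internet_facing=False)
DB_PRIMARY = Asset("db-primary", criticality=5, internet_facing=False)

FINDINGS = [
    Finding("CVE-2026-43284", VPN_GW, 7.8, True, True, False,
            compensating_control="disable IPsec modules"),
    Finding("CVE-2026-31431", BUILD_RUNNER, 7.8, False, True, True),
    Finding("CVE-0000-00001", LAB_KIOSK, 9.8, False, False, True),   # constructed id
    Finding("CVE-0000-00002", DB_PRIMARY, 5.5, False, False, True),  # constructed id
]

if __name__ == "__main__":
    ranked = prioritize(FINDINGS)
    for f in ranked:
        print(f"{exposure_score(f):.3f}  {remediation_plan(f)}")
    print("emergency slice:", [f.cve for f in critical_slice(ranked)])
```

Note that the CVSS 9.8 finding on the lab kiosk ranks last: severity alone is a poor proxy for exposure, and the actively exploited 7.8 on the internet-facing gateway lands in the 72-hour bucket even though no patch exists, which is exactly where the compensating control must be applied.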
One critical gotcha to be aware of is “triage fatigue.” Maintainers are already facing a deluge of AI-generated vulnerability reports. Many of these reports are “plausible-sounding but entirely hallucinated,” consuming valuable human time that could be spent on genuine threats. This highlights the need for sophisticated AI-powered triage systems that can distinguish signal from noise.
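A cheap first filter for the triage problem above, as an added example that is not part of the original article: before any human reads a report, check its concrete claims against ground truth the maintainer already holds. A report that names functions or files which do not exist in the project, cites malformed CVE ids, or carries no reproduction steps is sorted accordingly. The project symbol table, the sample reports and the verdict labels are constructed assumptions for illustration, not any platform's workflow.

```python
"""Heuristic pre-triage of incoming vulnerability reports (added example)."""
import re
from dataclasses import dataclass, field

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed: functions and files that actually exist in the project.
PROJECT_SYMBOLS = frozenset({
    "src/net/parse_frame.c", "parse_frame", "frame_len_check",
    "src/crypto/aead.c", "aead_decrypt",
})


@dataclass
class Report:
    title: str
    claimed_symbols: list        # functions/files the report says are affected
    claimed_cves: list = field(default_factory=list)
    has_repro: bool = False      # concrete steps or a test case included


def triage(report, symbols=PROJECT_SYMBOLS):
    """Return (verdict, reasons). Verdict labels are assumed for illustration."""
    reasons = []
    unknown = [s for s in report.claimed_symbols if s not in symbols]
    all_symbols_bogus = bool(report.claimed_symbols) and len(unknown) == len(report.claimed_symbols)
    if all_symbols_bogus:
        reasons.append(f"none of the referenced symbols exist: {unknown}")
    elif unknown:
        reasons.append(f"some referenced symbols do not exist: {unknown}")
    malformed = [c for c in report.claimed_cves if not CVE_ID.match(c)]
    if malformed:
        reasons.append(f"malformed CVE ids: {malformed}")
    if not report.has_repro:
        reasons.append("no reproduction steps")

    # A report whose every checkable claim fails is noise; one that is
    # internally consistent but unreproducible gets a request, not a rejection.
    if all_symbols_bogus or malformed:
        return "likely-hallucinated", reasons
    if not report.has_repro:
        return "request-repro", reasons
    return "human-review", reasons


def triage_all(reports):
    """Map each report title to its verdict."""
    return {r.title: triage(r)[0] for r in reports}


# Constructed sample reports.
REPORTS = [
    Report("heap overflow in parse_frame",
           ["src/net/parse_frame.c", "parse_frame"], has_repro=True),
    Report("UAF in handle_packet_v2",
           ["handle_packet_v2", "src/net/packet_v2.c"], claimed_cves=["CVE-2026-ABCD"]),
    Report("length check bypass", ["frame_len_check"], has_repro=False),
]

if __name__ == "__main__":
    for r in REPORTS:
        verdict, reasons = triage(r)
        print(f"{verdict:20s} {r.title}: {'; '.join(reasons) or 'ok'}")
```

The point of the design is that only claims with a cheap, deterministic check are used to reject: a report is never discarded for being unreproducible, only bounced back for steps, because a genuine finding with a thin write-up is still signal.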
Another concerning trend is the “silent bounty” problem. AI platform vendors may receive vulnerability reports that, for various reasons, do not result in a CVE, public advisory, or coordinated disclosure. This leaves users unknowingly vulnerable, a direct consequence of a disclosure system that can no longer keep pace. The ultimate “no patch available” scenario, as seen with Dirty Frag, forces organizations into painful mitigations like disabling core functionality, a direct outcome of the old disclosure model failing to provide sufficient lead time.
The future demands a radical departure from historical norms. The 90-day vulnerability disclosure policy is a relic of a bygone era. Organizations that cling to it will find themselves perpetually behind, facing exploit after exploit, unable to patch faster than attackers can adapt. The only path forward is to embrace the speed of AI, both in defense and offense, and architect security processes that operate at machine speed, not human speed. The time for comfort is over; the era of immediate, intelligent exposure management has begun.
Frequently Asked Questions
- What is the 90-day vulnerability disclosure policy?
- The 90-day vulnerability disclosure policy is a common agreement in cybersecurity. It dictates that security researchers must report a discovered vulnerability to the software vendor and provide them with approximately 90 days to fix it before the researcher publicly discloses the details. This timeframe allows vendors to develop and deploy patches, protecting users from exploitation.
- Why is the 90-day vulnerability disclosure policy becoming obsolete?
- The traditional 90-day policy is being challenged by advancements in AI-assisted bug detection. These AI tools can rapidly identify and even exploit vulnerabilities at speeds that outpace the manual processes of the 90-day window. This acceleration means that vulnerabilities may be found and potentially exploited before vendors can implement fixes within the traditional timeframe.
- How does AI impact vulnerability disclosure timelines?
- AI dramatically shortens the lifecycle of vulnerability discovery and exploitation. AI-powered tools can scan vast codebases and systems, identify complex flaws, and even generate proof-of-concept exploits much faster than human researchers. This speed necessitates a re-evaluation of disclosure policies to accommodate these accelerated timelines and prevent zero-day exploits from remaining undiscovered for extended periods.
- What are the implications of AI for ethical hacking and bug bounties?
- AI is transforming ethical hacking by providing powerful new tools for security professionals. Bug bounty programs may see changes as AI can automate initial discovery, leading to quicker identification of bugs. This shift encourages more dynamic and responsive security testing strategies, potentially leading to faster remediation and improved overall system security.